Merge remote-tracking branch 'origin/develop' into daniyar/multichain…

…-signature

Cargo.toml

@@ -5,6 +5,7 @@ members = [
     "node",
     "integration-tests",
     "load-tests",
+    "keys",
     "test-oidc-provider",
 ]
 

Dockerfile.multichain

@@ -8,12 +8,14 @@ RUN apt-get update \
 RUN echo "fn main() {}" > dummy.rs
 COPY node/Cargo.toml Cargo.toml
 RUN sed -i 's#src/main.rs#dummy.rs#' Cargo.toml
+RUN sed -i 's#mpc-keys = { path = "../keys" }##' Cargo.toml
 RUN sed -i 's#mpc-contract = { path = "../contract" }##' Cargo.toml
 RUN cargo build
 COPY . .
 RUN sed -i 's#"mpc-recovery",##' Cargo.toml
 RUN sed -i 's#"integration-tests",##' Cargo.toml
 RUN sed -i 's#"load-tests",##' Cargo.toml
+RUN sed -i 's#"keys",##' Cargo.toml
 RUN cargo build --package mpc-recovery-node
 
 FROM debian:stable-slim as runtime

contract/src/lib.rs

@@ -5,6 +5,10 @@ use std::collections::{BTreeMap, HashSet};
 
 type ParticipantId = u32;
 
+pub mod hpke {
+    pub type PublicKey = [u8; 32];
+}
+
 #[derive(
     Serialize,
     Deserialize,
@@ -22,6 +26,10 @@ pub struct ParticipantInfo {
     pub id: ParticipantId,
     pub account_id: AccountId,
     pub url: String,
+    /// The public key used for encrypting messages.
+    pub cipher_pk: hpke::PublicKey,
+    /// The public key used for verifying messages.
+    pub sign_pk: PublicKey,
 }
 
 #[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize, Debug)]
@@ -34,6 +42,7 @@ pub struct InitializingContractState {
 #[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize, Debug)]
 pub struct RunningContractState {
     pub epoch: u64,
+    // TODO: why is this account id for participants instead of participant id?
     pub participants: BTreeMap<AccountId, ParticipantInfo>,
     pub threshold: usize,
     pub public_key: PublicKey,
@@ -83,7 +92,13 @@ impl MpcContract {
         self.protocol_state
     }
 
-    pub fn join(&mut self, participant_id: ParticipantId, url: String) {
+    pub fn join(
+        &mut self,
+        participant_id: ParticipantId,
+        url: String,
+        cipher_pk: hpke::PublicKey,
+        sign_pk: PublicKey,
+    ) {
         match &mut self.protocol_state {
             ProtocolContractState::Running(RunningContractState {
                 participants,
@@ -100,6 +115,8 @@ impl MpcContract {
                         id: participant_id,
                         account_id,
                         url,
+                        cipher_pk,
+                        sign_pk,
                     },
                 );
             }

infra/modules/signer/main.tf

@@ -8,9 +8,13 @@ resource "google_cloud_run_v2_service" "signer" {
 
     annotations = var.metadata_annotations == null ? null : var.metadata_annotations
 
-    vpc_access {
-      connector = var.connector_id == null ? null : var.connector_id
-      egress    = "PRIVATE_RANGES_ONLY"
+    // Conditional block in case connector_id is present. See https://stackoverflow.com/a/69891235
+    dynamic "vpc_access" {
+      for_each = var.connector_id == null ? [] : [1]
+      content {
+        connector = var.connector_id == null ? null : var.connector_id
+        egress    = "PRIVATE_RANGES_ONLY"
+      }
     }
 
     scaling {

infra/mpc-recovery-dev/terraform-dev.tfvars

@@ -1,6 +1,6 @@
 env          = "dev"
 project      = "pagoda-discovery-platform-dev"
-docker_image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:3b95ef518e320cf35438bbc2e39be71040769d99"
+docker_image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:latest"
 
 account_creator_id           = "mpc-recovery-dev-creator.testnet"
 account_creator_sk_secret_id = "mpc-recovery-account-creator-sk-dev"

infra/mpc-recovery-prod/main.tf

@@ -17,20 +17,10 @@ locals {
   client_email = jsondecode(local.credentials).client_email
   client_id    = jsondecode(local.credentials).client_id
 
-  env = {
-    defaults = {
-      near_rpc          = "https://rpc.testnet.near.org"
-      near_root_account = "testnet"
-    }
-    testnet = {
-    }
-    mainnet = {
-      near_rpc          = "https://rpc.mainnet.near.org"
-      near_root_account = "near"
-    }
+  workspace = {
+    near_rpc          = "https://rpc.mainnet.near.org"
+    near_root_account = "near"
   }
-
-  workspace = merge(local.env["defaults"], contains(keys(local.env), terraform.workspace) ? local.env[terraform.workspace] : local.env["defaults"])
 }
 
 data "external" "git_checkout" {
@@ -39,7 +29,6 @@ data "external" "git_checkout" {
 
 provider "google" {
   credentials = local.credentials
-  # credentials = file("~/.config/gcloud/application_default_credentials.json")
 
   project = var.project
   region  = var.region
@@ -50,17 +39,16 @@ provider "google" {
  * Create brand new service account with basic IAM
  */
 resource "google_service_account" "service_account" {
-  account_id   = "mpc-recovery-prod"
-  display_name = "MPC Recovery prod Account"
+  account_id   = "mpc-recovery-mainnet"
+  display_name = "MPC Recovery mainnet Account"
 }
 
 resource "google_service_account_iam_binding" "serivce-account-iam" {
   service_account_id = google_service_account.service_account.name
   role               = "roles/iam.serviceAccountUser"
 
   members = [
-    "serviceAccount:${local.client_email}",
-    # "serviceAccount:mpc-recovery@pagoda-discovery-platform-prod.iam.gserviceaccount.com"
+    "serviceAccount:${local.client_email}"
   ]
 }
 
@@ -130,7 +118,7 @@ module "signer-mainnet" {
   count  = length(var.signer_configs)
   source = "../modules/signer"
 
-  env                   = "prod"
+  env                   = "mainnet"
   service_name          = "mpc-recovery-signer-${count.index}-mainnet"
   project               = var.project
   region                = var.region
@@ -157,7 +145,7 @@ module "signer-mainnet" {
 module "leader-mainnet" {
   source = "../modules/leader"
 
-  env                   = "prod"
+  env                   = "mainnet"
   service_name          = "mpc-recovery-leader-mainnet"
   project               = var.project
   region                = var.region

infra/mpc-recovery-prod/variables.tf

@@ -1,6 +1,3 @@
-variable "env" {
-}
-
 variable "project" {
 }
 

infra/mpc-recovery-testnet/main.tf

@@ -17,20 +17,10 @@ locals {
   client_email = jsondecode(local.credentials).client_email
   client_id    = jsondecode(local.credentials).client_id
 
-  env = {
-    defaults = {
-      near_rpc          = "https://rpc.testnet.near.org"
-      near_root_account = "testnet"
-    }
-    testnet = {
-    }
-    mainnet = {
-      near_rpc          = "https://rpc.mainnet.near.org"
-      near_root_account = "near"
-    }
+  workspace = {
+    near_rpc          = "https://rpc.mainnet.near.org"
+    near_root_account = "near"
   }
-
-  workspace = merge(local.env["defaults"], contains(keys(local.env), terraform.workspace) ? local.env[terraform.workspace] : local.env["defaults"])
 }
 
 data "external" "git_checkout" {
@@ -39,7 +29,6 @@ data "external" "git_checkout" {
 
 provider "google" {
   credentials = local.credentials
-  # credentials = file("~/.config/gcloud/application_default_credentials.json")
 
   project = var.project
   region  = var.region
@@ -50,8 +39,8 @@ provider "google" {
  * Create brand new service account with basic IAM
  */
 resource "google_service_account" "service_account" {
-  account_id   = "mpc-recovery-prod"
-  display_name = "MPC Recovery prod Account"
+  account_id   = "mpc-recovery-testnet"
+  display_name = "MPC Recovery testnet Account"
 }
 
 resource "google_service_account_iam_binding" "serivce-account-iam" {
@@ -60,7 +49,6 @@ resource "google_service_account_iam_binding" "serivce-account-iam" {
 
   members = [
     "serviceAccount:${local.client_email}",
-    # "serviceAccount:mpc-recovery@pagoda-discovery-platform-prod.iam.gserviceaccount.com"
   ]
 }
 

infra/mpc-recovery-testnet/variables.tf

@@ -1,6 +1,3 @@
-variable "env" {
-}
-
 variable "project" {
 }
 

infra/partner/main.tf

@@ -21,14 +21,6 @@ provider "google" {
   zone    = var.zone
 }
 
-provider "docker" {
-  registry_auth {
-    address  = "${var.region}-docker.pkg.dev"
-    username = "_json_key"
-    password = local.credentials
-  }
-}
-
 /*
  * Create brand new service account with basic IAM
  */
@@ -70,39 +62,14 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
   member    = "serviceAccount:${google_service_account.service_account.email}"
 }
 
-resource "google_secret_manager_secret_iam_member" "oidc_providers_secret_access" {
-  secret_id = var.oidc_providers_secret_id
-  role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${google_service_account.service_account.email}"
-}
-
-/*
- * Create Artifact Registry repo, tag existing Docker image and push to the repo
- */
-resource "google_artifact_registry_repository" "mpc_recovery" {
-  repository_id = "mpc-recovery-partner-${var.env}"
-  format        = "DOCKER"
-}
-
-resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
-  secret_id = var.sk_share_secret_id
-  role      = "roles/secretmanager.secretAccessor"
-  member    = "serviceAccount:${google_service_account.service_account.email}"
-}
-
-resource "docker_tag" "mpc_recovery" {
-  source_image = var.docker_image
-  target_image = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.mpc_recovery.name}/mpc-recovery-${var.env}"
-}
-
 /*
  * Create a partner signer node
  */
 module "signer" {
   source = "../modules/signer"
 
   env                   = var.env
-  service_name          = "partner-service-name"
+  service_name          = var.service_name
   project               = var.project
   region                = var.region
   zone                  = var.zone
@@ -117,9 +84,7 @@ module "signer" {
   connector_id         = var.connector_id
 
   depends_on = [
-    docker_registry_image.mpc_recovery,
     google_secret_manager_secret_iam_member.cipher_key_secret_access,
-    google_secret_manager_secret_iam_member.secret_share_secret_access,
-    google_secret_manager_secret_iam_member.oidc_providers_secret_access
+    google_secret_manager_secret_iam_member.secret_share_secret_access
   ]
 }

infra/partner/template.tfvars

@@ -6,6 +6,8 @@ zone    = "us-east1-c"
 docker_image = "near/mpc-recovery"
 node_id      = "0"
 
-oidc_providers_secret_id = "mpc-recovery-allowed-oidc-providers-0-dev"
-cipher_key_secret_id     = "mpc-recovery-encryption-cipher-0-dev"
-sk_share_secret_id       = "mpc-recovery-secret-share-0-dev"
+cipher_key_secret_id = "mpc-recovery-encryption-cipher-0-dev"
+sk_share_secret_id   = "mpc-recovery-secret-share-0-dev"
+
+jwt_signature_pk_url = "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
+service_name         = "mpc-recovery-signer-0-partner-dev"

infra/partner/variables.tf

@@ -33,10 +33,10 @@ variable "sk_share_secret_id" {
   type = string
 }
 
-variable "oidc_providers_secret_id" {
-  type = string
-}
-
 variable "jwt_signature_pk_url" {
 
-}
+}
+
+variable "service_name" {
+  type = string
+}

integration-tests/Cargo.toml

@@ -39,11 +39,12 @@ near-crypto = "0.17"
 near-fetch = "0.0.12"
 near-jsonrpc-client = "0.6"
 near-primitives = "0.17"
-near-lake-framework = { git = "https://github.com/near/near-lake-framework-rs.git", branch = "daniyar/reproduce" }
-near-lake-primitives = { git = "https://github.com/near/near-lake-framework-rs.git", branch = "daniyar/reproduce" }
+near-lake-framework = { git = "https://github.com/near/near-lake-framework-rs.git", branch = "daniyar/upgrade-sdk" }
+near-lake-primitives = { git = "https://github.com/near/near-lake-framework-rs.git", branch = "daniyar/upgrade-sdk" }
 near-units = "0.2.0"
 
 mpc-contract = { path = "../contract" }
+mpc-keys = { path = "../keys" }
 mpc-recovery = { path = "../mpc-recovery" }
 mpc-recovery-node = { path = "../node" }
 
@@ -57,8 +58,6 @@ tracing-log = "0.1.3"
 tokio-util = { version = "0.7", features = ["full"] }
 reqwest = "0.11.16"
 
-mpc-contract = { path = "../contract" }
-
 [features]
 default = []
 docker-test = []